23 Jul 2008

Planet Security

ItoolBox Whitepaper Network and Infrastructure: The Changing Face of Network Management

Addressing preventable downtime and degradation is becoming easier, with analysts and vendors focused on network change and configuration management (NCCM). Automated NCCM tools provide an opportunity to reduce the downtime and degradation caused by configuration changes by ensuring uniform configurations and by minimizing the impacts of human error inherent in manual configuration changes. Independent NCCM tools, however, are not enough on their own. In this white paper, learn how to realize these key benefits resulting from incorporating network configuration change capabilities into change-aware fault management tools.

23 Jul 2008 9:55pm GMT

ItoolBox Whitepaper Network and Infrastructure: Are Your Windows File Transfers Secure?

If you are using FTP to transfer files to or from your Windows servers, you may be putting your sensitive data at risk. Learn how Secure Shell (SSH) for Windows servers can secure your file transfers, your system administration tasks, and more.

23 Jul 2008 9:55pm GMT

Fergie's Tech Blog: UK 'Spying' Requests Exceed 500,000

Via The BBC.

More than 500,000 official "spying" requests for private communications data such as telephone records were made last year, a report says.

Police, security services and other public bodies made requests for billing details and other information.

Interception of Communications Commissioner Sir Paul Kennedy said 1,707 of these had been from councils.

A separate report criticises local authorities for using powers to target minor offences such as fly-tipping.

More here.

23 Jul 2008 7:22pm GMT

Fergie's Tech Blog: 'Drive-By Download' Attacks Menace UK.gov

Jon Leyden writes on The Register:

The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.

Malicious downloads from compromised websites have replaced infected email attachment as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day - or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.

Nine in 10 of these infected webpages are legitimate websites. Hackers use site vulnerabilities - typically SQL injection attacks - to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.

More here.

23 Jul 2008 7:14pm GMT

Fergie's Tech Blog: Romanian Phisher Confesses To Scam Targeting Financial Giants

Dan Goodin writes on The Register:

A Romanian man has admitted he took part in a sophisticated phishing scam that targeted PayPal and at least nine other financial institutions by tricking their customers into giving up their account credentials.

Ovidiu-Ionut Nicola-Roman, 22, of Craiova, Romania, pleaded guilty in federal court in Bridgeport, Connecticut, on Tuesday to one count of conspiracy to commit fraud. He faces a maximum of five years in prison and a fine of $250,000, although prosecutors agreed to recommend a reduced sentence if he complies with the terms of his plea agreement.

In an indictment filed in January, Nicola-Roman and six other Romanians were accused of running a well-organized operation that involved a combination of social engineering and computer hacking. An email purporting to come from the Brattleboro Savings & Loan Ass'n, for instance, informed customers their online accounts were temporarily unavailable while administrators upgraded the system.

More here.

23 Jul 2008 7:11pm GMT

SecurityFocus Vulns: Bugtraq: RE: Windows Vista Power Management & Local Security Policy

RE: Windows Vista Power Management & Local Security Policy

23 Jul 2008 6:34pm GMT

The Register - Security: Romanian phisher confesses to scam targeting financial giants

Scammer faces five years in slammer

A Romanian man has admitted he took part in a sophisticated phishing scam that targeted PayPal and at least nine other financial institutions by tricking their customers into giving up their account credentials.…

23 Jul 2008 6:14pm GMT

McAfee Avert Labs Blog: Pay Attention to 3rd-Party Software

The need to pay attention to security never goes away. Fortunately, operating system vendors continue to improve their platforms, and they have made great progress in security. Traditional stack or heap overflows have become more difficult to exploit. However, we cannot become complacent because it's clear that hackers have transferred their attention to third-party software. Some popular applications have become targets for viruses and Trojans. Just recently, many vulnerabilities were found and exploited in several popular programs: Real Player (CVE-2007-5601), Yahoo Messenger (CVE-2007-5017), Adobe Acrobat Reader (CVE-2008-2641), and Flash Player (CVE-2007-0071). All of these were found to have remote code-execution vulnerabilities, and actual exploits can be found on the Internet. So although the majority of users have installed the latest operating-system patches, they are still at risk of being attacked via third-party vulnerabilities.

A few days ago, I witnessed an actual exploit occur at a friend's home. He was running Microsoft Windows Vista, and the attack was targeted at RealPlayer. His mistake was that he had disabled the User Access Control functionality of Vista because he did not like the alerts. So he didn't get any warning prompts except when a message box showed that RealPlayer would close before the malicious code ran. I then saw many cmd.exe and other suspicious processes start. Windows Vista has the best security so far in the Windows family; nonetheless, all of this happened.

Watching this attack made me think of enterprise security. Businesses cannot pay attention only to operating system vulnerabilities. They need to pay attention to third-party software as well. Currently, security in third-party software is no better than that in operating systems. So the best practice I can recommend is to use risk and compliance software to scan and find third-party software that doesn't match enterprise policy. The final step is to update or delete these applications.

23 Jul 2008 5:10pm GMT

sunbeltblog: VIPRE Antivirus + Antispyware is now released


Today, I'm pleased to announce that after a very long development and beta testing effort, we have released VIPRE Antivirus + Antispyware. This is the consumer version; the enterprise version will be shipping next week. Company propaganda here, earlier beta announcement (with more information) here. Some reviewers also took an early peek at the beta - including Robert Vamosi at CNET and John Hawes at Virus Bulletin.

Those who have been following this blog may have read some of my prior postings, which started out with a blog post early last year entitled Evolving the Antimalware Technology Model. In that blog post, I discussed how antivirus products have had to adapt to a rapidly changing environment.

The flood of malware these days is just mind-boggling, and the tools needed will require constant reevaluation and new thinking. However, it starts with the platform: Our first task was to make everything from scratch, a blank slate, in order to start off without any legacy code and bloat, using the latest concepts in software development. The second was to create a product that successfully combined antivirus and antispyware functionality, since those two concepts are no longer separate (all users care about is malware, not some semantic argument about the definition of a trojan, or whether a commercial keylogger should be tagged in a system scan, or whether adware is acceptable or not).

But it goes further than just bloat and performance: It's a problem with our industry. People generally just hate antivirus vendors (I don't use the term "hate" lightly, as I've seen the user surveys). People are angry with resource hogging applications. They're upset about missed malware, and poor support coming from some distant overseas call center. They're tired of "scan and scare" tactics. And they're very upset about price gouging and abuse of the software subscription process (such as the now common and shameful practice of negative option billing - automatically charging your credit card without your explicit permission.)

And the users are right. Something has to change.

VIPRE is not just a product that answers the call for better performance. It's also about other ideas, such as fair pricing, responsive support, ethical (not "scan and scare") marketing, responsible subscription practices, and so on.

Ok, off my soapbox. Please feel free to download the trial version and give it a whirl, and don't hesitate to email me directly with your thoughts.

(The new CounterSpy 3.0 will also be released soon, likely before the end of the month.)

Alex Eckelberry

23 Jul 2008 3:47pm GMT

CNET News.com - Security: Will Google destroy Digg or take it to the next level?

Featured links from the CNET Blog Network

Will Google destroy Digg or take it to the next level?--If Google does indeed acquire the social news site, Digg, what will become of the popular service?

Does Facebook's Sheryl Sandberg have her ad numbers right?--Facebook CEO Sheryl Sandberg says that 90 percent of all advertising money spent is on brand awareness. Is that really true?

Five quick and useful Google Calendar tweaks--Keep events private, change your default view, add weather info, use keyboard shortcuts, and import specialty calendars.

Post-SP3 patch breaks Windows Update--I broke Windows Update on two XP machines.

23 Jul 2008 3:37pm GMT

SecurityFocus Vulns: Bugtraq: [ MDVSA-2008:152 ] - Updated wireshark packages fix denial of service vulnerability

[ MDVSA-2008:152 ] - Updated wireshark packages fix denial of service vulnerability

23 Jul 2008 3:36pm GMT

SecurityFocus Vulns: Bugtraq: RE: Windows Vista Power Management & Local Security Policy

RE: Windows Vista Power Management & Local Security Policy

23 Jul 2008 3:36pm GMT

SecurityFocus Vulns: Bugtraq: AST-2008-011: Traffic amplification in IAX2 firmware provisioning system

AST-2008-011: Traffic amplification in IAX2 firmware provisioning system

23 Jul 2008 3:36pm GMT

SecurityFocus Vulns: Bugtraq: AST-2008-010: Asterisk IAX 'POKE' resource exhaustion

AST-2008-010: Asterisk IAX 'POKE' resource exhaustion

23 Jul 2008 3:36pm GMT

Light Blue Touchpaper: Finland privacy judgment

In a case that will have profound implications, the European Court of Human Rights has issued a judgment against Finland in a medical privacy case.

The complainant was a nurse at a Finnish hospital, and also HIV-positive. Word of her condition spread among colleagues, and her contract was not renewed. The hospital's access controls were not sufficient to prevent colleagues accessing her record, and its audit trail was not sufficient to determine who had compromised her privacy. The court's view was that health care staff who are not involved in the care of a patient must be unable to access that patient's electronic medical record: "What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place." (Press coverage here.)

A "practical and effective" protection test in European law will bind engineering, law and policy much more tightly together. And it will have wide consequences. Privacy campaigners, for example, can now argue strongly that the NHS Care Records service is illegal. And what will be the further consequences for the Transformational Government initiative - the "Database State"?

23 Jul 2008 3:26pm GMT

Computerworld Security Blog: Global News Update: Wednesday, July 23, 2008

In today's podcast: San Francisco gets back passwords; Yahoo! results; Spam king sentenced.

23 Jul 2008 3:04pm GMT